@pagopa/io-react-native-wallet 1.1.2 → 1.2.2

package/lib/module/credential/presentation/01-start-flow.js

@@ -1,6 +1,5 @@
 import * as z from "zod";
-import { decodeBase64 } from "@pagopa/io-react-native-jwt";
-import { AuthRequestDecodeError } from "./errors";
+import { InvalidQRCodeError } from "./errors";
 const QRCodePayload = z.object({
   protocol: z.string(),
   resource: z.string(),
@@ -27,10 +26,13 @@ const QRCodePayload = z.object({
 export const startFlowFromQR = qrcode => {
   let decodedUrl;
   try {
-    const decoded = decodeBase64(qrcode);
-    decodedUrl = new URL(decoded);
+    var _originalQrCode$;
+    // splitting qrcode to identify which is link format
+    const originalQrCode = qrcode.split("://");
+    const replacedQrcode = (_originalQrCode$ = originalQrCode[1]) !== null && _originalQrCode$ !== void 0 && _originalQrCode$.startsWith("?") ? qrcode.replace(`${originalQrCode[0]}://`, "https://wallet.example/") : qrcode;
+    decodedUrl = new URL(replacedQrcode);
   } catch (error) {
-    throw new AuthRequestDecodeError("Failed to decode QR code: ", qrcode);
+    throw new InvalidQRCodeError(`Failed to decode QR code:  ${qrcode}`);
   }
   const protocol = decodedUrl.protocol;
   const resource = decodedUrl.hostname;
@@ -45,7 +47,7 @@ export const startFlowFromQR = qrcode => {
   if (result.success) {
     return result.data;
   } else {
-    throw new AuthRequestDecodeError(result.error.message, `${decodedUrl}`);
+    throw new InvalidQRCodeError(`${result.error.message}, ${decodedUrl}`);
   }
 };
 //# sourceMappingURL=01-start-flow.js.map

package/lib/module/credential/presentation/01-start-flow.js.map

@@ -1 +1 @@
-{"version":3,"names":["z","decodeBase64","AuthRequestDecodeError","QRCodePayload","object","protocol","string","resource","clientId","requestURI","startFlowFromQR","qrcode","decodedUrl","decoded","URL","error","hostname","searchParams","get","result","safeParse","success","data","message"],"sourceRoot":"../../../../src","sources":["credential/presentation/01-start-flow.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,SAASC,YAAY,QAAQ,6BAA6B;AAC1D,SAASC,sBAAsB,QAAQ,UAAU;AAEjD,MAAMC,aAAa,GAAGH,CAAC,CAACI,MAAM,CAAC;EAC7BC,QAAQ,EAAEL,CAAC,CAACM,MAAM,CAAC,CAAC;EACpBC,QAAQ,EAAEP,CAAC,CAACM,MAAM,CAAC,CAAC;EAAE;EACtBE,QAAQ,EAAER,CAAC,CAACM,MAAM,CAAC,CAAC;EACpBG,UAAU,EAAET,CAAC,CAACM,MAAM,CAAC;AACvB,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMI,eAAoC,GAAIC,MAAM,IAAK;EAC9D,IAAIC,UAAe;EACnB,IAAI;IACF,MAAMC,OAAO,GAAGZ,YAAY,CAACU,MAAM,CAAC;IACpCC,UAAU,GAAG,IAAIE,GAAG,CAACD,OAAO,CAAC;EAC/B,CAAC,CAAC,OAAOE,KAAK,EAAE;IACd,MAAM,IAAIb,sBAAsB,CAAC,4BAA4B,EAAES,MAAM,CAAC;EACxE;EAEA,MAAMN,QAAQ,GAAGO,UAAU,CAACP,QAAQ;EACpC,MAAME,QAAQ,GAAGK,UAAU,CAACI,QAAQ;EACpC,MAAMP,UAAU,GAAGG,UAAU,CAACK,YAAY,CAACC,GAAG,CAAC,aAAa,CAAC;EAC7D,MAAMV,QAAQ,GAAGI,UAAU,CAACK,YAAY,CAACC,GAAG,CAAC,WAAW,CAAC;EAEzD,MAAMC,MAAM,GAAGhB,aAAa,CAACiB,SAAS,CAAC;IACrCf,QAAQ;IACRE,QAAQ;IACRE,UAAU;IACVD;EACF,CAAC,CAAC;EAEF,IAAIW,MAAM,CAACE,OAAO,EAAE;IAClB,OAAOF,MAAM,CAACG,IAAI;EACpB,CAAC,MAAM;IACL,MAAM,IAAIpB,sBAAsB,CAACiB,MAAM,CAACJ,KAAK,CAACQ,OAAO,EAAG,GAAEX,UAAW,EAAC,CAAC;EACzE;AACF,CAAC"}
+{"version":3,"names":["z","InvalidQRCodeError","QRCodePayload","object","protocol","string","resource","clientId","requestURI","startFlowFromQR","qrcode","decodedUrl","_originalQrCode$","originalQrCode","split","replacedQrcode","startsWith","replace","URL","error","hostname","searchParams","get","result","safeParse","success","data","message"],"sourceRoot":"../../../../src","sources":["credential/presentation/01-start-flow.ts"],"mappings":"AAAA,OAAO,KAAKA,CAAC,MAAM,KAAK;AACxB,SAASC,kBAAkB,QAAQ,UAAU;AAE7C,MAAMC,aAAa,GAAGF,CAAC,CAACG,MAAM,CAAC;EAC7BC,QAAQ,EAAEJ,CAAC,CAACK,MAAM,CAAC,CAAC;EACpBC,QAAQ,EAAEN,CAAC,CAACK,MAAM,CAAC,CAAC;EAAE;EACtBE,QAAQ,EAAEP,CAAC,CAACK,MAAM,CAAC,CAAC;EACpBG,UAAU,EAAER,CAAC,CAACK,MAAM,CAAC;AACvB,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMI,eAAoC,GAAIC,MAAM,IAAK;EAC9D,IAAIC,UAAe;EACnB,IAAI;IAAA,IAAAC,gBAAA;IACF;IACA,MAAMC,cAAc,GAAGH,MAAM,CAACI,KAAK,CAAC,KAAK,CAAC;IAC1C,MAAMC,cAAc,GAAG,CAAAH,gBAAA,GAAAC,cAAc,CAAC,CAAC,CAAC,cAAAD,gBAAA,eAAjBA,gBAAA,CAAmBI,UAAU,CAAC,GAAG,CAAC,GACrDN,MAAM,CAACO,OAAO,CAAE,GAAEJ,cAAc,CAAC,CAAC,CAAE,KAAI,EAAE,yBAAyB,CAAC,GACpEH,MAAM;IAEVC,UAAU,GAAG,IAAIO,GAAG,CAACH,cAAc,CAAC;EACtC,CAAC,CAAC,OAAOI,KAAK,EAAE;IACd,MAAM,IAAIlB,kBAAkB,CAAE,8BAA6BS,MAAO,EAAC,CAAC;EACtE;EAEA,MAAMN,QAAQ,GAAGO,UAAU,CAACP,QAAQ;EACpC,MAAME,QAAQ,GAAGK,UAAU,CAACS,QAAQ;EACpC,MAAMZ,UAAU,GAAGG,UAAU,CAACU,YAAY,CAACC,GAAG,CAAC,aAAa,CAAC;EAC7D,MAAMf,QAAQ,GAAGI,UAAU,CAACU,YAAY,CAACC,GAAG,CAAC,WAAW,CAAC;EAEzD,MAAMC,MAAM,GAAGrB,aAAa,CAACsB,SAAS,CAAC;IACrCpB,QAAQ;IACRE,QAAQ;IACRE,UAAU;IACVD;EACF,CAAC,CAAC;EAEF,IAAIgB,MAAM,CAACE,OAAO,EAAE;IAClB,OAAOF,MAAM,CAACG,IAAI;EACpB,CAAC,MAAM;IACL,MAAM,IAAIzB,kBAAkB,CAAE,GAAEsB,MAAM,CAACJ,KAAK,CAACQ,OAAQ,KAAIhB,UAAW,EAAC,CAAC;EACxE;AACF,CAAC"}

package/lib/module/credential/presentation/03-get-request-object.js

@@ -0,0 +1,39 @@
+import uuid from "react-native-uuid";
+import { sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import { createDPopToken } from "../../utils/dpop";
+import { hasStatusOrThrow } from "../../utils/misc";
+/**
+ * Obtain the Request Object for RP authentication
+ * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
+ *
+ * @param requestUri The url for the Relying Party to connect with
+ * @param rpConf The Relying Party's configuration
+ * @param context.wiaCryptoContext The context to access the key associated with the Wallet Instance Attestation
+ * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @returns The Request Object that describes the presentation
+ */
+export const getRequestObject = async (requestUri, _ref) => {
+  let {
+    wiaCryptoContext,
+    appFetch = fetch,
+    walletInstanceAttestation
+  } = _ref;
+  const signedWalletInstanceDPoP = await createDPopToken({
+    jti: `${uuid.v4()}`,
+    htm: "GET",
+    htu: requestUri,
+    ath: await sha256ToBase64(walletInstanceAttestation)
+  }, wiaCryptoContext);
+  const requestObjectEncodedJwt = await appFetch(requestUri, {
+    method: "GET",
+    headers: {
+      Authorization: `DPoP ${walletInstanceAttestation}`,
+      DPoP: signedWalletInstanceDPoP
+    }
+  }).then(hasStatusOrThrow(200)).then(res => res.text());
+  return {
+    requestObjectEncodedJwt
+  };
+};
+//# sourceMappingURL=03-get-request-object.js.map

package/lib/module/credential/presentation/03-get-request-object.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["uuid","sha256ToBase64","createDPopToken","hasStatusOrThrow","getRequestObject","requestUri","_ref","wiaCryptoContext","appFetch","fetch","walletInstanceAttestation","signedWalletInstanceDPoP","jti","v4","htm","htu","ath","requestObjectEncodedJwt","method","headers","Authorization","DPoP","then","res","text"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-get-request-object.ts"],"mappings":"AAAA,OAAOA,IAAI,MAAM,mBAAmB;AACpC,SACEC,cAAc,QAET,6BAA6B;AAEpC,SAASC,eAAe,QAAQ,kBAAkB;AAClD,SAASC,gBAAgB,QAAkB,kBAAkB;AAY7D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,MAAAA,CAChDC,UAAU,EAAAC,IAAA,KAEP;EAAA,IADH;IAAEC,gBAAgB;IAAEC,QAAQ,GAAGC,KAAK;IAAEC;EAA0B,CAAC,GAAAJ,IAAA;EAEjE,MAAMK,wBAAwB,GAAG,MAAMT,eAAe,CACpD;IACEU,GAAG,EAAG,GAAEZ,IAAI,CAACa,EAAE,CAAC,CAAE,EAAC;IACnBC,GAAG,EAAE,KAAK;IACVC,GAAG,EAAEV,UAAU;IACfW,GAAG,EAAE,MAAMf,cAAc,CAACS,yBAAyB;EACrD,CAAC,EACDH,gBACF,CAAC;EAED,MAAMU,uBAAuB,GAAG,MAAMT,QAAQ,CAACH,UAAU,EAAE;IACzDa,MAAM,EAAE,KAAK;IACbC,OAAO,EAAE;MACPC,aAAa,EAAG,QAAOV,yBAA0B,EAAC;MAClDW,IAAI,EAAEV;IACR;EACF,CAAC,CAAC,CACCW,IAAI,CAACnB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BmB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,OAAO;IACLP;EACF,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/04-retrieve-rp-jwks.js

@@ -0,0 +1,75 @@
+import { JWKS, JWK } from "../../utils/jwk";
+import { hasStatusOrThrow } from "../../utils/misc";
+import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
+
+/**
+ * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
+ *
+ * @template T - The tuple type representing the function arguments.
+ * @param args - The arguments passed to the function.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ */
+
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from the specified client's well-known endpoint.
+ * It is formed using `{issUrl.base}/.well-known/jar-issuer${issUrl.pah}` as explained in SD-JWT VC issuer metadata section
+ *
+ * @param requestObjectEncodedJwt - Request Object in JWT format.
+ * @param options - Optional context containing a custom fetch implementation.
+ * @param options.context - Optional context object.
+ * @param options.context.appFetch - Optional custom fetch function to use instead of the global `fetch`.
+ * @returns A promise resolving to an object containing an array of JWKs.
+ * @throws Will throw an error if the JWKS retrieval fails.
+ */
+export const fetchJwksFromRequestObject = async function (requestObjectEncodedJwt) {
+  var _requestObjectJwt$pro, _requestObjectJwt$pay;
+  let {
+    context = {}
+  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  const {
+    appFetch = fetch
+  } = context;
+  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
+
+  // 1. check if request object jwt contains the 'jwk' attribute
+  if ((_requestObjectJwt$pro = requestObjectJwt.protectedHeader) !== null && _requestObjectJwt$pro !== void 0 && _requestObjectJwt$pro.jwk) {
+    return {
+      keys: [JWK.parse(requestObjectJwt.protectedHeader.jwk)]
+    };
+  }
+
+  // 2. According to Potential profile, retrieve from RP endpoint using iss claim
+  const issClaimValue = (_requestObjectJwt$pay = requestObjectJwt.payload) === null || _requestObjectJwt$pay === void 0 ? void 0 : _requestObjectJwt$pay.iss;
+  if (issClaimValue) {
+    const issUrl = new URL(issClaimValue);
+    const wellKnownUrl = new URL(`/.well-known/jar-issuer${issUrl.pathname}`, `${issUrl.protocol}//${issUrl.host}`).toString();
+
+    // Fetches the JWKS from a specific endpoint of the entity's well-known configuration
+    const jwks = await appFetch(wellKnownUrl, {
+      method: "GET"
+    }).then(hasStatusOrThrow(200)).then(raw => raw.json()).then(json => JWKS.parse(json.jwks));
+    return {
+      keys: jwks.keys
+    };
+  }
+  throw new NoSuitableKeysFoundInEntityConfiguration("Request Object signature verification");
+};
+
+/**
+ * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
+ *
+ * @param rpConfig - The configuration object of the Relying Party entity.
+ * @returns An object containing an array of JWKs.
+ * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
+ */
+export const fetchJwksFromConfig = async rpConfig => {
+  const jwks = rpConfig.wallet_relying_party.jwks;
+  if (!jwks || !Array.isArray(jwks.keys)) {
+    throw new Error("JWKS not found in Relying Party configuration.");
+  }
+  return {
+    keys: jwks.keys
+  };
+};
+//# sourceMappingURL=04-retrieve-rp-jwks.js.map

package/lib/module/credential/presentation/04-retrieve-rp-jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["JWKS","JWK","hasStatusOrThrow","decode","decodeJwt","NoSuitableKeysFoundInEntityConfiguration","fetchJwksFromRequestObject","requestObjectEncodedJwt","_requestObjectJwt$pro","_requestObjectJwt$pay","context","arguments","length","undefined","appFetch","fetch","requestObjectJwt","protectedHeader","jwk","keys","parse","issClaimValue","payload","iss","issUrl","URL","wellKnownUrl","pathname","protocol","host","toString","jwks","method","then","raw","json","fetchJwksFromConfig","rpConfig","wallet_relying_party","Array","isArray","Error"],"sourceRoot":"../../../../src","sources":["credential/presentation/04-retrieve-rp-jwks.ts"],"mappings":"AAAA,SAASA,IAAI,EAAEC,GAAG,QAAQ,iBAAiB;AAC3C,SAASC,gBAAgB,QAAQ,kBAAkB;AAEnD,SAASC,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,wCAAwC,QAAQ,UAAU;;AAEnE;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,0BAEZ,GAAG,eAAAA,CAAOC,uBAAuB,EAA4B;EAAA,IAAAC,qBAAA,EAAAC,qBAAA;EAAA,IAA1B;IAAEC,OAAO,GAAG,CAAC;EAAE,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EACvD,MAAM;IAAEG,QAAQ,GAAGC;EAAM,CAAC,GAAGL,OAAO;EACpC,MAAMM,gBAAgB,GAAGZ,SAAS,CAACG,uBAAuB,CAAC;;EAE3D;EACA,KAAAC,qBAAA,GAAIQ,gBAAgB,CAACC,eAAe,cAAAT,qBAAA,eAAhCA,qBAAA,CAAkCU,GAAG,EAAE;IACzC,OAAO;MACLC,IAAI,EAAE,CAAClB,GAAG,CAACmB,KAAK,CAACJ,gBAAgB,CAACC,eAAe,CAACC,GAAG,CAAC;IACxD,CAAC;EACH;;EAEA;EACA,MAAMG,aAAa,IAAAZ,qBAAA,GAAGO,gBAAgB,CAACM,OAAO,cAAAb,qBAAA,uBAAxBA,qBAAA,CAA0Bc,GAAa;EAC7D,IAAIF,aAAa,EAAE;IACjB,MAAMG,MAAM,GAAG,IAAIC,GAAG,CAACJ,aAAa,CAAC;IACrC,MAAMK,YAAY,GAAG,IAAID,GAAG,CACzB,0BAAyBD,MAAM,CAACG,QAAS,EAAC,EAC1C,GAAEH,MAAM,CAACI,QAAS,KAAIJ,MAAM,CAACK,IAAK,EACrC,CAAC,CAACC,QAAQ,CAAC,CAAC;;IAEZ;IACA,MAAMC,IAAI,GAAG,MAAMjB,QAAQ,CAACY,YAAY,EAAE;MACxCM,MAAM,EAAE;IACV,CAAC,CAAC,CACCC,IAAI,CAAC/B,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B+B,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEE,IAAI,IAAKnC,IAAI,CAACoB,KAAK,CAACe,IAAI,CAACJ,IAAI,CAAC,CAAC;IAExC,OAAO;MACLZ,IAAI,EAAEY,IAAI,CAACZ;IACb,CAAC;EACH;EAEA,MAAM,IAAId,wCAAwC,CAChD,uCACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM+B,mBAEZ,GAAG,MAAOC,QAAQ,IAAK;EACtB,MAAMN,IAAI,GAAGM,QAAQ,CAACC,oBAAoB,CAACP,IAAI;EAE/C,IAAI,CAACA,IAAI,IAAI,CAACQ,KAAK,CAACC,OAAO,CAACT,IAAI,CAACZ,IAAI,CAAC,EAAE;IACtC,MAAM,IAAIsB,KAAK,CAAC,gDAAgD,CAAC;EACnE;EAEA,OAAO;IACLtB,IAAI,EAAEY,IAAI,CAACZ;EACb,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/05-verify-request-object.js

@@ -0,0 +1,28 @@
+import { UnverifiedEntityError } from "./errors";
+import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import { RequestObject } from "./types";
+export const verifyRequestObjectSignature = async (requestObjectEncodedJwt, jwkKeys) => {
+  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
+
+  // verify token signature to ensure the request object is authentic
+  const pubKey = jwkKeys === null || jwkKeys === void 0 ? void 0 : jwkKeys.find(_ref => {
+    let {
+      kid
+    } = _ref;
+    return kid === requestObjectJwt.protectedHeader.kid;
+  });
+  if (!pubKey) {
+    throw new UnverifiedEntityError("Request Object signature verification!");
+  }
+  await verify(requestObjectEncodedJwt, pubKey);
+  const requestObject = RequestObject.parse(requestObjectJwt.payload);
+  // Check if exp exists and is expired
+  // exp is typically in seconds since epoch, Get current time in seconds
+  if (requestObject.exp && requestObject.exp <= Date.now() / 1000) {
+    throw new UnverifiedEntityError("Request Object is expired!");
+  }
+  return {
+    requestObject
+  };
+};
+//# sourceMappingURL=05-verify-request-object.js.map

package/lib/module/credential/presentation/05-verify-request-object.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["UnverifiedEntityError","decode","decodeJwt","verify","RequestObject","verifyRequestObjectSignature","requestObjectEncodedJwt","jwkKeys","requestObjectJwt","pubKey","find","_ref","kid","protectedHeader","requestObject","parse","payload","exp","Date","now"],"sourceRoot":"../../../../src","sources":["credential/presentation/05-verify-request-object.ts"],"mappings":"AAAA,SAASA,qBAAqB,QAAQ,UAAU;AAEhD,SAASC,MAAM,IAAIC,SAAS,EAAEC,MAAM,QAAQ,6BAA6B;AACzE,SAASC,aAAa,QAAQ,SAAS;AASvC,OAAO,MAAMC,4BAA0D,GACrE,MAAAA,CAAOC,uBAAuB,EAAEC,OAAO,KAAK;EAC1C,MAAMC,gBAAgB,GAAGN,SAAS,CAACI,uBAAuB,CAAC;;EAE3D;EACA,MAAMG,MAAM,GAAGF,OAAO,aAAPA,OAAO,uBAAPA,OAAO,CAAEG,IAAI,CAC1BC,IAAA;IAAA,IAAC;MAAEC;IAAI,CAAC,GAAAD,IAAA;IAAA,OAAKC,GAAG,KAAKJ,gBAAgB,CAACK,eAAe,CAACD,GAAG;EAAA,CAC3D,CAAC;EAED,IAAI,CAACH,MAAM,EAAE;IACX,MAAM,IAAIT,qBAAqB,CAAC,wCAAwC,CAAC;EAC3E;EACA,MAAMG,MAAM,CAACG,uBAAuB,EAAEG,MAAM,CAAC;EAE7C,MAAMK,aAAa,GAAGV,aAAa,CAACW,KAAK,CAACP,gBAAgB,CAACQ,OAAO,CAAC;EACnE;EACA;EACA,IAAIF,aAAa,CAACG,GAAG,IAAIH,aAAa,CAACG,GAAG,IAAIC,IAAI,CAACC,GAAG,CAAC,CAAC,GAAG,IAAI,EAAE;IAC/D,MAAM,IAAInB,qBAAqB,CAAC,4BAA4B,CAAC;EAC/D;EAEA,OAAO;IAAEc;EAAc,CAAC;AAC1B,CAAC"}

package/lib/module/credential/presentation/06-fetch-presentation-definition.js

@@ -0,0 +1,56 @@
+import { PresentationDefinition } from "./types";
+import { hasStatusOrThrow } from "../../utils/misc";
+/**
+ * Retrieves a PresentationDefinition based on the given parameters.
+ *
+ * The method attempts the following strategies in order:
+ * 1. Checks if `presentation_definition` is directly available in the request object.
+ * 2. Fetches the `presentation_definition` from the URI provided in the relying party configuration.
+ * 3. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
+ *
+ * If none of the above conditions are met, the function throws an error indicating the definition could not be found.
+ *
+ * @param {RequestObject} requestObject - The request object containing the presentation definition or references to it.
+ * @param {RelyingPartyEntityConfiguration["payload"]["metadata"]} [rpConf] - Optional relying party configuration.
+ * @param {Object} [context] - Optional context for providing a custom fetch implementation.
+ * @param {GlobalFetch["fetch"]} [context.appFetch] - Custom fetch function, defaults to global `fetch`.
+ * @returns {Promise<{ presentationDefinition: PresentationDefinition }>} - Resolves with the presentation definition.
+ * @throws {Error} - Throws if the presentation definition cannot be found or fetched.
+ */
+export const fetchPresentDefinition = async function (requestObject) {
+  var _rpConf$wallet_relyin, _rpConf$wallet_relyin2;
+  let {
+    appFetch = fetch
+  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  let rpConf = arguments.length > 2 ? arguments[2] : undefined;
+  // Check if `presentation_definition` is directly available in the request object
+  if (requestObject.presentation_definition) {
+    return {
+      presentationDefinition: requestObject.presentation_definition
+    };
+  }
+
+  // Check if `presentation_definition_uri` is provided in the relying party configuration
+  if (rpConf !== null && rpConf !== void 0 && (_rpConf$wallet_relyin = rpConf.wallet_relying_party) !== null && _rpConf$wallet_relyin !== void 0 && _rpConf$wallet_relyin.presentation_definition_uri) {
+    try {
+      // Fetch the presentation definition from the provided URI
+      const presentationDefinition = await appFetch(rpConf === null || rpConf === void 0 ? void 0 : rpConf.wallet_relying_party.presentation_definition_uri, {
+        method: "GET"
+      }).then(hasStatusOrThrow(200)).then(raw => raw.json()).then(json => PresentationDefinition.parse(json));
+      return {
+        presentationDefinition
+      };
+    } catch (error) {
+      throw new Error(`Failed to fetch presentation definition: ${error}`);
+    }
+  }
+
+  // Check if `scope` is present in the request object and a pre-configured presentation definition exists
+  if (requestObject.scope && rpConf !== null && rpConf !== void 0 && (_rpConf$wallet_relyin2 = rpConf.wallet_relying_party) !== null && _rpConf$wallet_relyin2 !== void 0 && _rpConf$wallet_relyin2.presentation_definition) {
+    return {
+      presentationDefinition: rpConf.wallet_relying_party.presentation_definition
+    };
+  }
+  throw new Error("Presentation definition not found");
+};
+//# sourceMappingURL=06-fetch-presentation-definition.js.map

package/lib/module/credential/presentation/06-fetch-presentation-definition.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["PresentationDefinition","hasStatusOrThrow","fetchPresentDefinition","requestObject","_rpConf$wallet_relyin","_rpConf$wallet_relyin2","appFetch","fetch","arguments","length","undefined","rpConf","presentation_definition","presentationDefinition","wallet_relying_party","presentation_definition_uri","method","then","raw","json","parse","error","Error","scope"],"sourceRoot":"../../../../src","sources":["credential/presentation/06-fetch-presentation-definition.ts"],"mappings":"AAAA,SAASA,sBAAsB,QAAuB,SAAS;AAE/D,SAASC,gBAAgB,QAAQ,kBAAkB;AAYnD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAmD,GAAG,eAAAA,CACjEC,aAAa,EAGV;EAAA,IAAAC,qBAAA,EAAAC,sBAAA;EAAA,IAFH;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAAA,IACzBG,MAAM,GAAAH,SAAA,CAAAC,MAAA,OAAAD,SAAA,MAAAE,SAAA;EAEN;EACA,IAAIP,aAAa,CAACS,uBAAuB,EAAE;IACzC,OAAO;MACLC,sBAAsB,EAAEV,aAAa,CAACS;IACxC,CAAC;EACH;;EAEA;EACA,IAAID,MAAM,aAANA,MAAM,gBAAAP,qBAAA,GAANO,MAAM,CAAEG,oBAAoB,cAAAV,qBAAA,eAA5BA,qBAAA,CAA8BW,2BAA2B,EAAE;IAC7D,IAAI;MACF;MACA,MAAMF,sBAAsB,GAAG,MAAMP,QAAQ,CAC3CK,MAAM,aAANA,MAAM,uBAANA,MAAM,CAAEG,oBAAoB,CAACC,2BAA2B,EACxD;QACEC,MAAM,EAAE;MACV,CACF,CAAC,CACEC,IAAI,CAAChB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BgB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEE,IAAI,IAAKnB,sBAAsB,CAACoB,KAAK,CAACD,IAAI,CAAC,CAAC;MAErD,OAAO;QACLN;MACF,CAAC;IACH,CAAC,CAAC,OAAOQ,KAAK,EAAE;MACd,MAAM,IAAIC,KAAK,CAAE,4CAA2CD,KAAM,EAAC,CAAC;IACtE;EACF;;EAEA;EACA,IACElB,aAAa,CAACoB,KAAK,IACnBZ,MAAM,aAANA,MAAM,gBAAAN,sBAAA,GAANM,MAAM,CAAEG,oBAAoB,cAAAT,sBAAA,eAA5BA,sBAAA,CAA8BO,uBAAuB,EACrD;IACA,OAAO;MACLC,sBAAsB,EACpBF,MAAM,CAACG,oBAAoB,CAACF;IAChC,CAAC;EACH;EAEA,MAAM,IAAIU,KAAK,CAAC,mCAAmC,CAAC;AACtD,CAAC"}

package/lib/module/credential/presentation/07-evaluate-input-descriptor.js

@@ -0,0 +1,161 @@
+import { JSONPath } from "jsonpath-plus";
+import { MissingDataError } from "./errors";
+import Ajv from "ajv";
+const ajv = new Ajv({
+  allErrors: true
+});
+const INDEX_CLAIM_NAME = 1;
+/**
+ * Transforms an array of DisclosureWithEncoded objects into a key-value map.
+ * @param disclosures - An array of DisclosureWithEncoded, each containing a decoded property with [?, claimName, claimValue].
+ * @returns An object mapping claim names to their corresponding values.
+ */
+const mapDisclosuresToObject = disclosures => {
+  return disclosures.reduce((obj, _ref) => {
+    let {
+      decoded
+    } = _ref;
+    const [, claimName, claimValue] = decoded;
+    obj[claimName] = claimValue;
+    return obj;
+  }, {});
+};
+
+/**
+ * Finds a claim within the payload based on provided JSONPath expressions.
+ * @param paths - An array of JSONPath expressions to search for in the payload.
+ * @param payload - The object to search within using JSONPath.
+ * @returns A tuple with the first matched JSONPath and its corresponding value, or [undefined, undefined] if not found.
+ */
+const findMatchedClaim = (paths, payload) => {
+  let matchedPath;
+  let matchedValue;
+  paths.some(singlePath => {
+    try {
+      const result = JSONPath({
+        path: singlePath,
+        json: payload
+      });
+      if (result.length > 0) {
+        matchedPath = singlePath;
+        matchedValue = result[0];
+        return true;
+      }
+    } catch (error) {
+      throw new MissingDataError(`JSONPath for "${singlePath}" does not match the provided payload.`);
+    }
+    return false;
+  });
+  return [matchedPath, matchedValue];
+};
+
+/**
+ * Extracts the claim name from a path that can be in one of the following formats:
+ * 1. $.propertyName
+ * 2. $["propertyName"] or $['propertyName']
+ *
+ * @param path - The path string containing the claim reference.
+ * @returns The extracted claim name if matched; otherwise, throws an exception.
+ */
+const extractClaimName = path => {
+  // Define a regular expression that matches both formats:
+  // 1. $.propertyName
+  // 2. $["propertyName"] or $['propertyName']
+  const regex = /^\$\.(\w+)$|^\$\[(?:'|")(\w+)(?:'|")\]$/;
+  const match = path.match(regex);
+  if (match) {
+    // match[1] corresponds to the first capture group (\w+) after $.
+    // match[2] corresponds to the second capture group (\w+) inside [""] or ['']
+    return match[1] || match[2];
+  }
+
+  // If the input doesn't match any of the expected formats, return null
+
+  throw new Error(`Invalid input format: "${path}". Expected formats are "$.propertyName", "$['propertyName']", or '$["propertyName"]'.`);
+};
+
+/**
+ * Evaluates an InputDescriptor for an SD-JWT-based verifiable credential.
+ *
+ * - Checks each field in the InputDescriptor against the provided `payloadCredential`
+ *   and `disclosures` (selectively disclosed claims).
+ * - Validates whether required fields are present (unless marked optional)
+ *   and match any specified JSONPath.
+ * - If a field includes a JSON Schema filter, validates the claim value against that schema.
+ * - Enforces `limit_disclosure` rules by returning only disclosures matching the specified fields
+ *   if set to "required". Otherwise return the array of all disclosures.
+ * - Throws an error if a required field is invalid or missing.
+ *
+ * @param inputDescriptor - Describes constraints (fields, filters, etc.) that must be satisfied.
+ * @param payloadCredential - The credential payload to check against.
+ * @param disclosures - An array of DisclosureWithEncoded objects representing selective disclosures.
+ * @returns A filtered list of disclosures satisfying the descriptor constraints, or throws an error if not.
+ * @throws Will throw an error if any required constraint fails or if JSONPath lookups are invalid.
+ */
+export const evaluateInputDescriptorForSdJwt4VC = (inputDescriptor, payloadCredential, disclosures) => {
+  var _inputDescriptor$cons;
+  if (!(inputDescriptor !== null && inputDescriptor !== void 0 && (_inputDescriptor$cons = inputDescriptor.constraints) !== null && _inputDescriptor$cons !== void 0 && _inputDescriptor$cons.fields)) {
+    // No validation, all field are optional
+    return {
+      requiredDisclosures: [],
+      optionalDisclosures: disclosures
+    };
+  }
+  const requiredClaimNames = [];
+  const optionalClaimNames = [];
+
+  // Transform disclosures to find claim using JSONPath
+  const disclosuresAsPayload = mapDisclosuresToObject(disclosures);
+
+  // For each field, we need at least one matching path
+  // If we succeed, we push the matched disclosure in matchedDisclosures and stop checking further paths
+  const allFieldsValid = inputDescriptor.constraints.fields.every(field => {
+    // For Potential profile, selectively disclosed claims will always be built as an individual object property, by using a name-value pair.
+    // Hence that selective claim for array element and recursive disclosures are not supported by Potential for the first iteration of Piloting.
+    // We need to check inside disclosures or inside credential payload. Example path: "$.given_name"
+    let [matchedPath, matchedValue] = findMatchedClaim(field.path, disclosuresAsPayload);
+    if (!matchedPath) {
+      [matchedPath, matchedValue] = findMatchedClaim(field.path, payloadCredential);
+      if (!matchedPath) {
+        // Path could be optional, in this case no need to validate! continue to next field
+        return field === null || field === void 0 ? void 0 : field.optional;
+      }
+    } else {
+      // if match a disclouse we save which is required or optional
+      const claimName = extractClaimName(matchedPath);
+      if (claimName) {
+        (field !== null && field !== void 0 && field.optional ? optionalClaimNames : requiredClaimNames).push(claimName);
+      }
+    }
+
+    // FILTER validation
+    // If this field has a "filter" (JSON Schema), validate the claimValue
+    if (field.filter) {
+      try {
+        const validateSchema = ajv.compile(field.filter);
+        if (!validateSchema(matchedValue)) {
+          throw new MissingDataError(`Claim value "${matchedValue}" for path "${matchedPath}" does not match the provided JSON Schema.`);
+        }
+      } catch (error) {
+        return false;
+      }
+    }
+    // Submission Requirements validation
+    // TODO: [EUDIW-216] Read rule value if “all” o “pick” and validate
+
+    return true;
+  });
+  if (!allFieldsValid) {
+    throw new MissingDataError("Credential validation failed: Required fields are missing or do not match the input descriptor.");
+  }
+
+  // Categorizes disclosures into required and optional based on claim names and disclosure constraints.
+  const isNotLimitDisclosure = !(inputDescriptor.constraints.limit_disclosure === "required");
+  const requiredDisclosures = disclosures.filter(disclosure => requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]));
+  const optionalDisclosures = disclosures.filter(disclosure => optionalClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]) || isNotLimitDisclosure && !requiredClaimNames.includes(disclosure.decoded[INDEX_CLAIM_NAME]));
+  return {
+    requiredDisclosures,
+    optionalDisclosures
+  };
+};
+//# sourceMappingURL=07-evaluate-input-descriptor.js.map

package/lib/module/credential/presentation/07-evaluate-input-descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["JSONPath","MissingDataError","Ajv","ajv","allErrors","INDEX_CLAIM_NAME","mapDisclosuresToObject","disclosures","reduce","obj","_ref","decoded","claimName","claimValue","findMatchedClaim","paths","payload","matchedPath","matchedValue","some","singlePath","result","path","json","length","error","extractClaimName","regex","match","Error","evaluateInputDescriptorForSdJwt4VC","inputDescriptor","payloadCredential","_inputDescriptor$cons","constraints","fields","requiredDisclosures","optionalDisclosures","requiredClaimNames","optionalClaimNames","disclosuresAsPayload","allFieldsValid","every","field","optional","push","filter","validateSchema","compile","isNotLimitDisclosure","limit_disclosure","disclosure","includes"],"sourceRoot":"../../../../src","sources":["credential/presentation/07-evaluate-input-descriptor.ts"],"mappings":"AAEA,SAASA,QAAQ,QAAQ,eAAe;AACxC,SAASC,gBAAgB,QAAQ,UAAU;AAC3C,OAAOC,GAAG,MAAM,KAAK;AACrB,MAAMC,GAAG,GAAG,IAAID,GAAG,CAAC;EAAEE,SAAS,EAAE;AAAK,CAAC,CAAC;AACxC,MAAMC,gBAAgB,GAAG,CAAC;AAa1B;AACA;AACA;AACA;AACA;AACA,MAAMC,sBAAsB,GAC1BC,WAAoC,IACR;EAC5B,OAAOA,WAAW,CAACC,MAAM,CAAC,CAACC,GAAG,EAAAC,IAAA,KAAkB;IAAA,IAAhB;MAAEC;IAAQ,CAAC,GAAAD,IAAA;IACzC,MAAM,GAAGE,SAAS,EAAEC,UAAU,CAAC,GAAGF,OAAO;IACzCF,GAAG,CAACG,SAAS,CAAC,GAAGC,UAAU;IAC3B,OAAOJ,GAAG;EACZ,CAAC,EAAE,CAAC,CAA4B,CAAC;AACnC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMK,gBAAgB,GAAGA,CACvBC,KAAe,EACfC,OAAY,KACW;EACvB,IAAIC,WAAW;EACf,IAAIC,YAAY;EAChBH,KAAK,CAACI,IAAI,CAAEC,UAAU,IAAK;IACzB,IAAI;MACF,MAAMC,MAAM,GAAGrB,QAAQ,CAAC;QAAEsB,IAAI,EAAEF,UAAU;QAAEG,IAAI,EAAEP;MAAQ,CAAC,CAAC;MAC5D,IAAIK,MAAM,CAACG,MAAM,GAAG,CAAC,EAAE;QACrBP,WAAW,GAAGG,UAAU;QACxBF,YAAY,GAAGG,MAAM,CAAC,CAAC,CAAC;QACxB,OAAO,IAAI;MACb;IACF,CAAC,CAAC,OAAOI,KAAK,EAAE;MACd,MAAM,IAAIxB,gBAAgB,CACvB,iBAAgBmB,UAAW,wCAC9B,CAAC;IACH;IACA,OAAO,KAAK;EACd,CAAC,CAAC;EAEF,OAAO,CAACH,WAAW,EAAEC,YAAY,CAAC;AACpC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMQ,gBAAgB,GAAIJ,IAAY,IAAyB;EAC7D;EACA;EACA;EACA,MAAMK,KAAK,GAAG,yCAAyC;EAEvD,MAAMC,KAAK,GAAGN,IAAI,CAACM,KAAK,CAACD,KAAK,CAAC;EAC/B,IAAIC,KAAK,EAAE;IACT;IACA;IACA,OAAOA,KAAK,CAAC,CAAC,CAAC,IAAIA,KAAK,CAAC,CAAC,CAAC;EAC7B;;EAEA;;EAEA,MAAM,IAAIC,KAAK,CACZ,0BAAyBP,IAAK,wFACjC,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,kCAAmE,GAC9EA,CAACC,eAAe,EAAEC,iBAAiB,EAAEzB,WAAW,KAAK;EAAA,IAAA0B,qBAAA;EACnD,IAAI,EAACF,eAAe,aAAfA,eAAe,gBAAAE,qBAAA,GAAfF,eAAe,CAAEG,WAAW,cAAAD,qBAAA,eAA5BA,qBAAA,CAA8BE,MAAM,GAAE;IACzC;IACA,OAAO;MACLC,mBAAmB,EAAE,EAAE;MACvBC,mBAAmB,EAAE9B;IACvB,CAAC;EACH;EACA,MAAM+B,kBAA4B,GAAG,EAAE;EACvC,MAAMC,kBAA4B,GAAG,EAAE;;EAEvC;EACA,MAAMC,oBAAoB,GAAGlC,sBAAsB,CAACC,WAAW,CAAC;;EAEhE;EACA;EACA,MAAMkC,cAAc,GAAGV,eAAe,CAACG,WAAW,CAACC,MAAM,CAACO,KAAK,CAAEC,KAAK,IAAK;IACzE;IACA;IACA;IACA,IAAI,CAAC1B,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAChD6B,KAAK,CAACrB,IAAI,EACVkB,oBACF,CAAC;IAED,IAAI,CAACvB,WAAW,EAAE;MAChB,CAACA,WAAW,EAAEC,YAAY,CAAC,GAAGJ,gBAAgB,CAC5C6B,KAAK,CAACrB,IAAI,EACVU,iBACF,CAAC;MAED,IAAI,CAACf,WAAW,EAAE;QAChB;QACA,OAAO0B,KAAK,aAALA,KAAK,uBAALA,KAAK,CAAEC,QAAQ;MACxB;IACF,CAAC,MAAM;MACL;MACA,MAAMhC,SAAS,GAAGc,gBAAgB,CAACT,WAAW,CAAC;MAC/C,IAAIL,SAAS,EAAE;QACb,CAAC+B,KAAK,aAALA,KAAK,eAALA,KAAK,CAAEC,QAAQ,GAAGL,kBAAkB,GAAGD,kBAAkB,EAAEO,IAAI,CAC9DjC,SACF,CAAC;MACH;IACF;;IAEA;IACA;IACA,IAAI+B,KAAK,CAACG,MAAM,EAAE;MAChB,IAAI;QACF,MAAMC,cAAc,GAAG5C,GAAG,CAAC6C,OAAO,CAACL,KAAK,CAACG,MAAM,CAAC;QAChD,IAAI,CAACC,cAAc,CAAC7B,YAAY,CAAC,EAAE;UACjC,MAAM,IAAIjB,gBAAgB,CACvB,gBAAeiB,YAAa,eAAcD,WAAY,4CACzD,CAAC;QACH;MACF,CAAC,CAAC,OAAOQ,KAAK,EAAE;QACd,OAAO,KAAK;MACd;IACF;IACA;IACA;;IAEA,OAAO,IAAI;EACb,CAAC,CAAC;EAEF,IAAI,CAACgB,cAAc,EAAE;IACnB,MAAM,IAAIxC,gBAAgB,CACxB,iGACF,CAAC;EACH;;EAEA;EACA,MAAMgD,oBAAoB,GAAG,EAC3BlB,eAAe,CAACG,WAAW,CAACgB,gBAAgB,KAAK,UAAU,CAC5D;EAED,MAAMd,mBAAmB,GAAG7B,WAAW,CAACuC,MAAM,CAAEK,UAAU,IACxDb,kBAAkB,CAACc,QAAQ,CAACD,UAAU,CAACxC,OAAO,CAACN,gBAAgB,CAAC,CAClE,CAAC;EAED,MAAMgC,mBAAmB,GAAG9B,WAAW,CAACuC,MAAM,CAC3CK,UAAU,IACTZ,kBAAkB,CAACa,QAAQ,CAACD,UAAU,CAACxC,OAAO,CAACN,gBAAgB,CAAC,CAAC,IAChE4C,oBAAoB,IACnB,CAACX,kBAAkB,CAACc,QAAQ,CAACD,UAAU,CAACxC,OAAO,CAACN,gBAAgB,CAAC,CACvE,CAAC;EAED,OAAO;IACL+B,mBAAmB;IACnBC;EACF,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/08-send-authorization-response.js

@@ -0,0 +1,188 @@
+import { EncryptJwe, SignJWT, sha256ToBase64 } from "@pagopa/io-react-native-jwt";
+import uuid from "react-native-uuid";
+import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
+import { hasStatusOrThrow } from "../../utils/misc";
+import { disclose } from "../../sd-jwt";
+import * as z from "zod";
+export const AuthorizationResponse = z.object({
+  status: z.string().optional(),
+  response_code: z.string() /**
+                            FIXME: [SIW-627] we expect this value from every RP implementation
+                            Actually some RP does not return the value
+                            We make it optional to not break the flow.
+                            */.optional(),
+  redirect_uri: z.string().optional()
+});
+
+/**
+ * Selects an RSA public key (with `use = enc` and `kty = RSA`) from the set of JWK keys
+ * offered by the Relying Party (RP) for encryption.
+ *
+ * @param rpJwkKeys - The array of JWKs retrieved from the RP entity configuration.
+ * @returns The first suitable RSA public key found in the list.
+ * @throws {NoSuitableKeysFoundInEntityConfiguration} If no suitable RSA encryption key is found.
+ */
+export const chooseRSAPublicKeyToEncrypt = rpJwkKeys => {
+  const [rsaEncKey] = rpJwkKeys.filter(jwk => jwk.use === "enc" && jwk.kty === "RSA");
+  if (rsaEncKey) {
+    return rsaEncKey;
+  }
+
+  // No suitable key found
+  throw new NoSuitableKeysFoundInEntityConfiguration("No suitable RSA public key found for encryption.");
+};
+
+/**
+ * Prepares a Verified Presentation (VP) token to be sent as part of an
+ * authorization response in an OpenID 4 Verifiable Presentations flow.
+ *
+ * @param requestObject - The request object containing the nonce, response URI, and other necessary info.
+ * @param presentationTuple - A tuple containing a verifiable credential, the claims to disclose,
+ *                            and a cryptographic context for signing.
+ * @returns An object containing the signed VP token (`vp_token`) and a `presentation_submission` object.
+ * @param presentationDefinition - Definition outlining presentation requirements.
+ * @param presentationTuple - Tuple containing:
+ *    - A verifiable credential.
+ *    - Claims that should be disclosed.
+ *    - Cryptographic context for signing.
+ * @returns An object with:
+ *    - `vp_token`: The signed VP token.
+ *    - `presentation_submission`: Object mapping disclosed credentials to the request.
+ *
+ * @remarks
+ *  1. The `disclose()` function is used to produce a token with only the requested claims.
+ *  2. A new JWT is then signed, including the VP, `jti`, `iss`, `nonce`, audience, and expiration.
+ *  3. The `presentation_submission` object follows the OpenID 4 VP specification for describing
+ *     how the disclosed credentials map to the request.
+ *
+ * @todo [SIW-353] Support multiple verifiable credentials in a single request.
+ */
+export const prepareVpToken = async (requestObject, presentationDefinition, _ref) => {
+  var _presentationDefiniti;
+  let [verifiableCredential, requestedClaims, cryptoContext] = _ref;
+  // Produce a VP token with only requested claims from the verifiable credential
+  const {
+    token: vp
+  } = await disclose(verifiableCredential, requestedClaims);
+
+  // <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~
+  const sd_hash = await sha256ToBase64(`${vp}~`);
+  const kbJwt = await new SignJWT(cryptoContext).setProtectedHeader({
+    typ: "kb+jwt",
+    alg: "ES256"
+  }).setPayload({
+    sd_hash,
+    nonce: requestObject.nonce
+  }).setAudience(requestObject.client_id).setIssuedAt().sign();
+
+  // <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
+  const vp_token = [vp, kbJwt].join("~");
+
+  // Determine the descriptor ID to use for mapping. Fallback to first input descriptor ID if not specified
+  // We support only one credential for now, so we get first input_descriptor and create just one descriptor_map
+  const presentation_submission = {
+    id: uuid.v4(),
+    definition_id: presentationDefinition.id,
+    descriptor_map: [{
+      id: presentationDefinition === null || presentationDefinition === void 0 || (_presentationDefiniti = presentationDefinition.input_descriptors[0]) === null || _presentationDefiniti === void 0 ? void 0 : _presentationDefiniti.id,
+      path: `$`,
+      format: "vc+sd-jwt"
+    }]
+  };
+  return {
+    vp_token,
+    presentation_submission
+  };
+};
+
+/**
+ * Builds a URL-encoded form body for a direct POST response without encryption.
+ *
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param vpToken - The signed VP token to include.
+ * @param presentationSubmission - Object mapping credential disclosures.
+ * @returns A URL-encoded string suitable for an `application/x-www-form-urlencoded` POST body.
+ */
+export const buildDirectPostBody = async (requestObject, vpToken, presentationSubmission) => {
+  const formUrlEncodedBody = new URLSearchParams({
+    state: requestObject.state,
+    presentation_submission: JSON.stringify(presentationSubmission),
+    vp_token: vpToken
+  });
+  return formUrlEncodedBody.toString();
+};
+
+/**
+ * Builds a URL-encoded form body for a direct POST response using JWT encryption.
+ *
+ * @param jwkKeys - Array of JWKs from the Relying Party for encryption.
+ * @param requestObject - Contains state, nonce, and other relevant info.
+ * @param vpToken - The signed VP token to encrypt.
+ * @param presentationSubmission - Object mapping credential disclosures.
+ * @returns A URL-encoded string for an `application/x-www-form-urlencoded` POST body,
+ *          where `response` contains the encrypted JWE.
+ */
+export const buildDirectPostJwtBody = async (jwkKeys, requestObject, vpToken, presentationSubmission) => {
+  // Prepare the authorization response payload to be encrypted
+  const authzResponsePayload = JSON.stringify({
+    state: requestObject.state,
+    presentation_submission: presentationSubmission,
+    vp_token: vpToken
+  });
+
+  // Choose a suitable RSA public key for encryption
+  const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(jwkKeys);
+
+  // Encrypt the authorization payload
+  const encryptedResponse = await new EncryptJwe(authzResponsePayload, {
+    alg: "RSA-OAEP-256",
+    enc: "A256CBC-HS512",
+    kid: rsaPublicJwk.kid
+  }).encrypt(rsaPublicJwk);
+
+  // Build the x-www-form-urlencoded form body
+  const formBody = new URLSearchParams({
+    response: encryptedResponse
+  });
+  return formBody.toString();
+};
+
+/**
+ * Type definition for the function that sends the authorization response
+ * to the Relying Party, completing the presentation flow.
+ */
+
+/**
+ * Sends the authorization response to the Relying Party (RP) using the specified `response_mode`.
+ * This function completes the presentation flow in an OpenID 4 Verifiable Presentations scenario.
+ *
+ * @param requestObject - The request details, including presentation requirements.
+ * @param presentationDefinition - The definition of the expected presentation.
+ * @param jwkKeys - Array of JWKs from the Relying Party for optional encryption.
+ * @param presentation - Tuple with verifiable credential, claims, and crypto context.
+ * @param context - Contains optional custom fetch implementation.
+ * @returns Parsed and validated authorization response from the Relying Party.
+ */
+export const sendAuthorizationResponse = async (requestObject, presentationDefinition, jwkKeys, presentation, _ref2) => {
+  let {
+    appFetch = fetch
+  } = _ref2;
+  // 1. Create the VP token and associated submission mapping
+  const {
+    vp_token,
+    presentation_submission
+  } = await prepareVpToken(requestObject, presentationDefinition, presentation);
+
+  // 2. Choose the appropriate request body builder based on response mode
+  const requestBody = requestObject.response_mode === "direct_post.jwt" ? await buildDirectPostJwtBody(jwkKeys, requestObject, vp_token, presentation_submission) : await buildDirectPostBody(requestObject, vp_token, presentation_submission);
+
+  // 3. Send the authorization response via HTTP POST and validate the response
+  return await appFetch(requestObject.response_uri, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: requestBody
+  }).then(hasStatusOrThrow(200)).then(res => res.json()).then(AuthorizationResponse.parse);
+};
+//# sourceMappingURL=08-send-authorization-response.js.map

package/lib/module/credential/presentation/08-send-authorization-response.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["EncryptJwe","SignJWT","sha256ToBase64","uuid","NoSuitableKeysFoundInEntityConfiguration","hasStatusOrThrow","disclose","z","AuthorizationResponse","object","status","string","optional","response_code","redirect_uri","chooseRSAPublicKeyToEncrypt","rpJwkKeys","rsaEncKey","filter","jwk","use","kty","prepareVpToken","requestObject","presentationDefinition","_ref","_presentationDefiniti","verifiableCredential","requestedClaims","cryptoContext","token","vp","sd_hash","kbJwt","setProtectedHeader","typ","alg","setPayload","nonce","setAudience","client_id","setIssuedAt","sign","vp_token","join","presentation_submission","id","v4","definition_id","descriptor_map","input_descriptors","path","format","buildDirectPostBody","vpToken","presentationSubmission","formUrlEncodedBody","URLSearchParams","state","JSON","stringify","toString","buildDirectPostJwtBody","jwkKeys","authzResponsePayload","rsaPublicJwk","encryptedResponse","enc","kid","encrypt","formBody","response","sendAuthorizationResponse","presentation","_ref2","appFetch","fetch","requestBody","response_mode","response_uri","method","headers","body","then","res","json","parse"],"sourceRoot":"../../../../src","sources":["credential/presentation/08-send-authorization-response.ts"],"mappings":"AAAA,SACEA,UAAU,EACVC,OAAO,EACPC,cAAc,QACT,6BAA6B;AACpC,OAAOC,IAAI,MAAM,mBAAmB;AAIpC,SAASC,wCAAwC,QAAQ,UAAU;AACnE,SAASC,gBAAgB,QAAkB,kBAAkB;AAC7D,SAASC,QAAQ,QAAQ,cAAc;AAEvC,OAAO,KAAKC,CAAC,MAAM,KAAK;AAGxB,OAAO,MAAMC,qBAAqB,GAAGD,CAAC,CAACE,MAAM,CAAC;EAC5CC,MAAM,EAAEH,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC,CAAC;EAC7BC,aAAa,EAAEN,CAAC,CACbI,MAAM,CAAC,CAAC,CAAC;AACd;AACA;AACA;AACA,8BAJc,CAKTC,QAAQ,CAAC,CAAC;EACbE,YAAY,EAAEP,CAAC,CAACI,MAAM,CAAC,CAAC,CAACC,QAAQ,CAAC;AACpC,CAAC,CAAC;;AAEF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMG,2BAA2B,GACtCC,SAAiC,IACzB;EACR,MAAM,CAACC,SAAS,CAAC,GAAGD,SAAS,CAACE,MAAM,CACjCC,GAAG,IAAKA,GAAG,CAACC,GAAG,KAAK,KAAK,IAAID,GAAG,CAACE,GAAG,KAAK,KAC5C,CAAC;EAED,IAAIJ,SAAS,EAAE;IACb,OAAOA,SAAS;EAClB;;EAEA;EACA,MAAM,IAAIb,wCAAwC,CAChD,kDACF,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMkB,cAAc,GAAG,MAAAA,CAC5BC,aAAiE,EACjEC,sBAA8C,EAAAC,IAAA,KAK1C;EAAA,IAAAC,qBAAA;EAAA,IAJJ,CAACC,oBAAoB,EAAEC,eAAe,EAAEC,aAAa,CAAe,GAAAJ,IAAA;EAKpE;EACA,MAAM;IAAEK,KAAK,EAAEC;EAAG,CAAC,GAAG,MAAMzB,QAAQ,CAACqB,oBAAoB,EAAEC,eAAe,CAAC;;EAE3E;EACA,MAAMI,OAAO,GAAG,MAAM9B,cAAc,CAAE,GAAE6B,EAAG,GAAE,CAAC;EAE9C,MAAME,KAAK,GAAG,MAAM,IAAIhC,OAAO,CAAC4B,aAAa,CAAC,CAC3CK,kBAAkB,CAAC;IAClBC,GAAG,EAAE,QAAQ;IACbC,GAAG,EAAE;EACP,CAAC,CAAC,CACDC,UAAU,CAAC;IACVL,OAAO;IACPM,KAAK,EAAEf,aAAa,CAACe;EACvB,CAAC,CAAC,CACDC,WAAW,CAAChB,aAAa,CAACiB,SAAS,CAAC,CACpCC,WAAW,CAAC,CAAC,CACbC,IAAI,CAAC,CAAC;;EAET;EACA,MAAMC,QAAQ,GAAG,CAACZ,EAAE,EAAEE,KAAK,CAAC,CAACW,IAAI,CAAC,GAAG,CAAC;;EAEtC;EACA;EACA,MAAMC,uBAAuB,GAAG;IAC9BC,EAAE,EAAE3C,IAAI,CAAC4C,EAAE,CAAC,CAAC;IACbC,aAAa,EAAExB,sBAAsB,CAACsB,EAAE;IACxCG,cAAc,EAAE,CACd;MACEH,EAAE,EAAEtB,sBAAsB,aAAtBA,sBAAsB,gBAAAE,qBAAA,GAAtBF,sBAAsB,CAAE0B,iBAAiB,CAAC,CAAC,CAAC,cAAAxB,qBAAA,uBAA5CA,qBAAA,CAA8CoB,EAAE;MACpDK,IAAI,EAAG,GAAE;MACTC,MAAM,EAAE;IACV,CAAC;EAEL,CAAC;EAED,OAAO;IAAET,QAAQ;IAAEE;EAAwB,CAAC;AAC9C,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMQ,mBAAmB,GAAG,MAAAA,CACjC9B,aAAiE,EACjE+B,OAAe,EACfC,sBAA+C,KAC3B;EACpB,MAAMC,kBAAkB,GAAG,IAAIC,eAAe,CAAC;IAC7CC,KAAK,EAAEnC,aAAa,CAACmC,KAAK;IAC1Bb,uBAAuB,EAAEc,IAAI,CAACC,SAAS,CAACL,sBAAsB,CAAC;IAC/DZ,QAAQ,EAAEW;EACZ,CAAC,CAAC;EAEF,OAAOE,kBAAkB,CAACK,QAAQ,CAAC,CAAC;AACtC,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,sBAAsB,GAAG,MAAAA,CACpCC,OAA+B,EAC/BxC,aAAiE,EACjE+B,OAAe,EACfC,sBAA+C,KAC3B;EACpB;EACA,MAAMS,oBAAoB,GAAGL,IAAI,CAACC,SAAS,CAAC;IAC1CF,KAAK,EAAEnC,aAAa,CAACmC,KAAK;IAC1Bb,uBAAuB,EAAEU,sBAAsB;IAC/CZ,QAAQ,EAAEW;EACZ,CAAC,CAAC;;EAEF;EACA,MAAMW,YAAY,GAAGlD,2BAA2B,CAACgD,OAAO,CAAC;;EAEzD;EACA,MAAMG,iBAAiB,GAAG,MAAM,IAAIlE,UAAU,CAACgE,oBAAoB,EAAE;IACnE5B,GAAG,EAAE,cAAc;IACnB+B,GAAG,EAAE,eAAe;IACpBC,GAAG,EAAEH,YAAY,CAACG;EACpB,CAAC,CAAC,CAACC,OAAO,CAACJ,YAAY,CAAC;;EAExB;EACA,MAAMK,QAAQ,GAAG,IAAIb,eAAe,CAAC;IAAEc,QAAQ,EAAEL;EAAkB,CAAC,CAAC;EACrE,OAAOI,QAAQ,CAACT,QAAQ,CAAC,CAAC;AAC5B,CAAC;;AAED;AACA;AACA;AACA;;AAWA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMW,yBAAoD,GAAG,MAAAA,CAClEjD,aAAa,EACbC,sBAAsB,EACtBuC,OAAO,EACPU,YAAY,EAAAC,KAAA,KAEuB;EAAA,IADnC;IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAAF,KAAA;EAEpB;EACA,MAAM;IAAE/B,QAAQ;IAAEE;EAAwB,CAAC,GAAG,MAAMvB,cAAc,CAChEC,aAAa,EACbC,sBAAsB,EACtBiD,YACF,CAAC;;EAED;EACA,MAAMI,WAAW,GACftD,aAAa,CAACuD,aAAa,KAAK,iBAAiB,GAC7C,MAAMhB,sBAAsB,CAC1BC,OAAO,EACPxC,aAAa,EACboB,QAAQ,EACRE,uBACF,CAAC,GACD,MAAMQ,mBAAmB,CACvB9B,aAAa,EACboB,QAAQ,EACRE,uBACF,CAAC;;EAEP;EACA,OAAO,MAAM8B,QAAQ,CAACpD,aAAa,CAACwD,YAAY,EAAE;IAChDC,MAAM,EAAE,MAAM;IACdC,OAAO,EAAE;MACP,cAAc,EAAE;IAClB,CAAC;IACDC,IAAI,EAAEL;EACR,CAAC,CAAC,CACCM,IAAI,CAAC9E,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3B8E,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAC3E,qBAAqB,CAAC8E,KAAK,CAAC;AACtC,CAAC"}